I am trying to get some DNS data into my Network Resolution (DNS) datamodel.
I currently ingest DNS data via the Splunk Stream app which goes into an index called wn_dns_stream.
I have my CIM app white list this index for the Network Resolution (DNS) datamodel.
I have created an event type called dns_stream that is applied to all data with the dns:stream sourcetype.
I also have a tag called dns that gets applied to anything with the eventtype=dns_stream.
In the datamodel settings I can see that Network Resolution looks for the following:
(cim_Network_Resolution_indexes) tag=network tag=resolution tag=dns
When I search for 'cim_Network_Resolution_indexes' I get my wn_dns_stream index with all of its data. In this index I can see my event type and tag that I created.
I then ran this search:
| datamodel "Network_Resolution" summariesonly=true search | timechart span=1h count
This returns nothing, even though searching for 'cim_Network_Resolution_indexes' tag=dns returns 300,000 events for the same time period.
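Added example, not part of the original post: the datamodel constraint quoted above requires every event to carry all three tags (network, resolution and dns), so a tags.conf stanza for the dns_stream event type would need to enable all three rather than only dns. The eventtype name and sourcetype are taken from the post; the file placement under a local app directory is an assumption.

```ini
# tags.conf (assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf)
# Constructed example: all three tags the Network_Resolution datamodel
# constraint asks for are enabled on the dns_stream event type.
[eventtype=dns_stream]
network = enabled
resolution = enabled
dns = enabled

# eventtypes.conf (same app): the event type from the post, for completeness.
[dns_stream]
search = sourcetype=dns:stream
```

To confirm events match the constraint before relying on summaries, run the datamodel search without summariesonly, for example `| datamodel Network_Resolution search | head 5`; summariesonly=true only returns events already written to the accelerated summary, so it stays empty until acceleration is enabled for the datamodel and the summary has been built.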